Password Aging

New Accounts

Password aging for newly created accounts is controlled by /etc/login.defs and /etc/default/useradd. useradd copies the values in force at creation time into the new account's /etc/shadow entry, so changing these files later does not affect accounts that already exist.

/etc/login.defs:

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.

/etc/default/useradd:

INACTIVE=-1
EXPIRE=

By default (INACTIVE=-1 and an empty EXPIRE), neither a password inactivity period nor an account expiration date is set. The inactivity period is the number of days after a password has expired during which the user may still log in and change it; once it has elapsed the account is locked and only an administrator can reset the password.

Note that on a PAM-based system PASS_MIN_LEN in /etc/login.defs has no effect, because password changes go through the PAM stack. Minimum password length is controlled by the pam_cracklib module. If minlen= is not specified, pam_cracklib's built-in default applies (6 characters on the version this was written against; the default has changed between versions, so check the man page for yours), so set minlen= explicitly rather than relying on it.

Existing Accounts

/usr/bin/chage is used to modify password aging on existing accounts. The -m, -M, -W and -I options edit the aging fields of the account's /etc/shadow entry but leave the last password change field (field 3) alone unless you also pass -d. If the existing last-change date is already more than the new maximum age in the past, the password is treated as expired at the user's next login, so inspect the account with chage -l before and after, and use -d (today's date to restart the clock, or 0 to force a change at the next login) when immediate expiry is not what you want.

Example

User hutchib was already created with essentially no password aging (the default PASS_MAX_DAYS of 99999). To configure the following:

A minimum of 7 days between password changes.

Password expiration after 90 days.

Begin warning about password expiration 14 days in advance.

# /usr/bin/chage -m 7 -M 90 -W 14 hutchib

What happens when your password expires?

If the password has expired and the inactivity period (see chage -I and field 7 in /etc/shadow) has also elapsed, the account is locked: you cannot log in at all, and an administrator must reset your password for you.

If the password has expired but the inactivity period has not elapsed (or none is set), you are allowed a "grace login": your old password is accepted, but you must immediately choose a new one. After the password is changed the connection is closed and you must log in again with the new password.
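To see the interaction between the last-change field and a new maximum age before touching a real account, here is an added shell example (not code from the original page) that classifies a shadow entry the way the login-time check does, and shows what chage -m 7 -M 90 -W 14 does to hutchib's entry when -d is not given. The shadow lines, the day numbers and the password hash are constructed samples, and the state names are labels chosen for this example; nothing in it reads the real /etc/shadow or changes an account.

```shell
#!/bin/sh
# Added example, not from the original page: predict what chage will do to an
# account before running it, using the same /etc/shadow fields chage edits.
# All shadow entries below are constructed samples for the user "hutchib".

# Day numbers are days since 1970-01-01, which is how /etc/shadow stores
# field 3 (last change) and one of the forms `chage -d` accepts.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Print field $2 of shadow entry $1.
shadow_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Classify the password state of shadow entry $1 on day $2, following the
# rules applied at login time:
#   aging-disabled   field 3 empty: password aging is off for this account
#   change-required  field 3 is 0: a new password must be set at next login
#   never-expires    no maximum age (field 5 empty)
#   valid:N          N days remain before the password expires
#   expired-grace    expired; a grace login is allowed and a change is forced
#   locked           expired and the inactivity period (field 7) has elapsed
password_state() {
  entry=$1; today=$2
  lastchg=$(shadow_field "$entry" 3)
  maxdays=$(shadow_field "$entry" 5)
  inact=$(shadow_field "$entry" 7)
  [ -z "$lastchg" ] && { echo aging-disabled; return 0; }
  [ "$lastchg" -eq 0 ] && { echo change-required; return 0; }
  [ -z "$maxdays" ] && { echo never-expires; return 0; }
  age=$(( today - lastchg ))
  if [ "$age" -le "$maxdays" ]; then
    echo "valid:$(( maxdays - age ))"
  elif [ -n "$inact" ] && [ "$age" -gt $(( maxdays + inact )) ]; then
    echo locked
  else
    echo expired-grace
  fi
}

# Rewrite shadow entry $1 the way `chage -m $2 -M $3 -W $4` would:
# fields 4, 5 and 6 change, field 3 (last change) is left untouched.
apply_chage() {
  entry=$1
  printf '%s:%s:%s:%s:%s:%s:%s:%s:%s\n' \
    "$(shadow_field "$entry" 1)" "$(shadow_field "$entry" 2)" \
    "$(shadow_field "$entry" 3)" "$2" "$3" "$4" \
    "$(shadow_field "$entry" 7)" "$(shadow_field "$entry" 8)" \
    "$(shadow_field "$entry" 9)"
}

# Constructed sample: hutchib's password was last changed on day 15000 and
# the account still carries the useradd defaults (max 99999, warn 7).
SAMPLE='hutchib:$6$salt$hash:15000:0:99999:7:::'
TODAY=15100          # 100 days later; use $(today_days) for the real date

echo "before: $(password_state "$SAMPLE" "$TODAY")"
AFTER=$(apply_chage "$SAMPLE" 7 90 14)
echo "after chage -m 7 -M 90 -W 14: $(password_state "$AFTER" "$TODAY")"
# The password is now 100 days old against a 90-day maximum, so hutchib's
# next login is a grace login that forces a change.  Either force it on
# purpose (chage -d 0 hutchib) or restart the clock from today
# (chage -d $TODAY hutchib, or -d YYYY-MM-DD).
```

The same function shows the difference between the two outcomes described above: with field 7 empty the entry only ever reaches expired-grace, while with chage -I 30 it becomes locked once the password is 120 days old.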

Password Length and Complexity

Both pam_cracklib and pam_passwdqc are modules used to enforce password length and complexity. Although pam_passwdqc is more powerful, I'll be using pam_cracklib as its capabilities meet our site's needs and it is already in the PAM stack.

Account Lockout

Account lockout after a number of unsuccessful authentication attempts can be enforced with pam_tally. In this example, an account is locked after 5 failed login attempts. Twice an hour the failed login counters are reset, and a counter is also reset by each successful authentication (the reset option in the PAM configuration).
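The page does not show its pam_tally configuration, so the following is an added, assumed example of how the behaviour just described (lock after 5 failures, clear the counter on success, clear all counters twice an hour) is typically expressed; it is not the author's own configuration. The PAM file name, the cron.d file and the /sbin/pam_tally path are assumptions for a Red Hat-style system.

```conf
# /etc/pam.d/system-auth (assumed path) -- only the pam_tally lines shown
# Count every authentication attempt and deny once 5 failures accumulate.
# onerr=fail: if the tally file cannot be read or written, fail closed.
auth     required   pam_tally.so onerr=fail deny=5
auth     required   pam_unix.so

# Clear the user's counter after a successful authentication (the "reset"
# option mentioned above).
account  required   pam_tally.so reset
account  required   pam_unix.so

# /etc/cron.d/pam_tally-reset (assumed file): clear all counters twice an
# hour, so a locked account frees itself after at most 30 minutes.
0,30 * * * * root /sbin/pam_tally --reset >/dev/null
```

pam_tally --user hutchib shows the current count for one account, and pam_tally --user hutchib --reset clears it by hand without waiting for the cron job.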